Cybersecurity researchers have shed light on a new version of a ransomware strain called HardBit that comes packaged with new obfuscation techniques to deter analysis efforts.
“Unlike previous versions, HardBit Ransomware group enhanced the version 4.0 with passphrase protection,” Cybereason researchers Kotaro Ogino and Koshi Oyama said in an analysis.
“The passphrase needs to be provided during the runtime in order for the ransomware to be executed properly. Additional obfuscation hinders security researchers from analyzing the malware.”
HardBit, which first emerged in October 2022, is a financially motivated threat actor that, similar to other ransomware groups, operates with an aim to generate illicit revenues via double extortion tactics.
What makes the threat group stand out is that it does not operate a data leak site, and instead pressurizes victims to pay up by threatening to conduct additional attacks in the future. Its primary mode of communication occurs over the Tox instant messaging service.
The exact initial access vector used to breach target environments is currently not clear, although it’s suspected to involve brute-forcing RDP and SMB services.
The follow-up steps encompass performing credential theft using tools like Mimikatz and NLBrute, and network discovery via utilities such as Advanced Port Scanner, allowing the attackers to laterally move across the network by means of RDP.
“Having compromised a victim host, the HardBit ransomware payload is executed and performs a number of steps that reduce the security posture of the host before encrypting victim data,” Varonis noted in its technical write-up about HardBit 2.0 last year.
Encryption of the victim hosts is carried out by deploying HardBit, which is delivered using a known file infector virus called Neshta. It’s worth noting that Neshta has been used by threat actors in the past to also distribute Big Head ransomware.
HardBit is also designed to disable Microsoft Defender Antivirus and terminate processes and services to evade potential detection of its activities and inhibit system recovery. It then encrypts files of interest, updates their icons, changes desktop wallpaper, and alters the system’s volume label with string “Locked by HardBit.”
Besides being offered to operators in the form of command-line or GUI versions, the ransomware requires an authorization ID in order for it to be successfully executed. The GUI flavor further supports a wiper mode to irrevocably erase files and wipe the disk.
“Once threat actors successfully input the decoded authorization ID, HardBit prompts for an encryption key to encrypt the files on the target machines and it proceeds with ransomware procedure,” Cybereason noted.
“Wiper mode feature needs to be enabled by the HardBit Ransomware group and the feature is likely an additional feature that operators need to purchase. If the operators need wiper mode, the operator would need to deploy hard.txt, an optional configuration file of HardBit binary and contains authorization ID to enable wiper mode.”
The development comes as cybersecurity firm Trellix detailed a CACTUS ransomware attack that has been observed exploiting security flaws in Ivanti Sentry (CVE-2023-38035) to install the file-encrypting malware using legitimate remote desktop tools like AnyDesk and Splashtop.
Ransomware activity continues to “remain on an upward trend” in 2024, with ransomware actors claiming 962 attacks in the first quarter of 2024, up from 886 attacks reported year-over-year. LockBit, Akira, and BlackSuit have emerged as the most prevalent ransomware families during the time period, Symantec said.
According to Palo Alto Networks’ 2024 Unit 42 Incident Response report, the median time it takes to go from compromise to data exfiltration plummeted from nine days in 2021 to two days last year. In almost half (45%) of cases this year, it was just under 24 hours.
“Available evidence suggests that exploitation of known vulnerabilities in public-facing applications continues to be the main vector for ransomware attacks,” the Broadcom-owned company said. “Bring Your Own Vulnerable Driver (BYOVD) continues to be a favored tactic among ransomware groups, particularly as a means of disabling security solutions.”
